Hi Chris,

Can you send the configs of the Aironet?  With those "Fat" access points,
you cannot use the same VLAN on both the MAC Auth and the Secure SSID.

This is a hardware limitation.  Usually, you have two options:
- Auto register devices that are authenticated using 802.1X.  You will
  have only:
  vlan 6 in the Secure SSID section
- Create another registration VLAN for the secure network.  You will have:
  vlan 202 backup 6 in the Secure SSID section

I have an Aironet configuration example if you want.

Another thing you need to check is the wireless deauthentication.  With
the Aironets, we use CLI, so make sure the credentials are properly set in
the switches.conf for that device.  You can test it manually using the
following:
/usr/local/pf/bin/pfcmd_vlan -deauthentication -switch SWITCH_IP -mac MAC -verbose 4

I hope this helps.

> Hello Francois,
>
> Thanks for the response.
>
> Radius, in all cases is acting perfectly and, in debug mode or not,
> returns 'validation' - 'ok'. For EAP connections, it validates the
> connection and for 'public' connections (requiring the captive portal)
> it returns 'ok' with a reference to vlan 102 (our registration
> vlan). I think that there is no problem there.
>
> At this point it seems that PacketFence is doing everything correctly
> and that our problem lies in the access point config. I have radically
> simplified the AP config in an attempt to isolate the issue. All the
> encrypted EAP vlans, etc. have been removed and only
> our 'public' vlan (for the captive portal), vlan 102 (registration)
> and vlan 103 (isolation) are implemented. After the captive portal is
> working I will add back the EAP vlans.
>
> I could not get an IP address until I removed the encryption for vlan
> 6 under the Dot11Radio0 interface. I removed :
>
> encryption vlan 6 mode ciphers aes-ccm
>
> (This line is present in your example config for the Cisco Aironet
> 1250 for the 'normal' vlan. This corresponds to the PacketFence-Public
> SSID.)
>
> However, the captive portal is only *sometimes* invoked and, usually,
> even though the MAC is unregistered by PF, a regular connection to
> vlan 6 is made. That is, the vlan is *not* changed to 102 (our
> registration vlan) and an IP address is *not* assigned by the PF DHCP
> server !!!
>
> The packetfence.log contains entries stopping the deauthentication
> trap from the access point and a warning that is 'unable to parse the
> trapline'. 'doWeActOnThisTrap' then returns false and the
> dot11Deauthentication handling is stopped. I'd be happy to send the
> exact lines if you think they are relevant.
>
> I must back up here and ask you a simple overview question : why are
> both the 'public' and the 'registration' vlans encrypted as above in
> the example? Perhaps I'm missing something obvious but it would seem
> that they should be open ...
>
> Very interested in what you have to say.
>
> Best wishes for the new year,
>
> Chris
>
> On Mon  3.Jan'11 at 10:18:04 -0500, Francois Gaudreault wrote:
>>   Chris,
>>
>> If you manually turn off, and turn back on the radio, are you able to
>> get an IP at all?
>>
>> What does radius tell you in debug mode?
>>
>> On 10-12-30 3:38 PM, cg wrote:
>> > Hello List,
>> >
>> > Hope everyone here will have a great and auspicious new year.
>> >
>> > Closing in on our Debian adaptation of version 2.0.0 ; the wifi side
>> > of things is showing validation by radius and an *almost* working
>> > captive portal. Can anyone comment on the following log results ?
>> >
>> >
>> > Dec 30 21:18:51 pf::WebAPI(5578) INFO: handling radius autz request:
>> > from switch_ip =>  nnn.nnn.nnn.nnn, connection_type =>
>> > Wireless-802.11-NoEAP mac =>  aa:bb:cc:dd:ee:ff, port =>  604, username
>> > =>  aabbccddeeff (pf::radius::authorize)
>> > Dec 30 21:18:51 pf::WebAPI(5578) WARN: Unable to extract SSID for
>> > module pf::SNMP::Cisco::Aironet_1250. SSID-based VLAN assignments
>> > won't work. Please let us know so we can add support for
>> > it. (pf::SNMP::extractSsid)
>> > Dec 30 21:18:51 pf::WebAPI(5578) INFO: MAC: aa:bb:cc:dd:ee:ff is of
>> > status unreg; belongs into registration VLAN
>> > (pf::vlan::getRegistrationVlan)
>> > Dec 30 21:18:51 pf::WebAPI(5578) INFO: Returning ACCEPT with VLAN: 102
>> > (pf::radius::authorize)
>> > Dec 30 21:18:54 pfsetvlan(17) WARN: unable to parse trapLine.. here's
>> > the line: nnn.nnn.nnn.nnn||dot11Deauthentication|||aa:bb:cc:dd:ee:ff
>> > (main::startTrapHandlers)
>> > Dec 30 21:18:54 pfsetvlan(17) INFO: nb of items in queue: 1; nb of
>> > threads running: 0 (main::startTrapHandlers)
>> > Dec 30 21:18:54 pfsetvlan(17) INFO: doWeActOnThisTrap returns
>> > false. Stop dot11Deauthentication handling (main::handleTrap)
>> > Dec 30 21:18:54 pfsetvlan(17) INFO: finished
>> > (main::cleanupAfterThread)
>> >
>> >
>> > The wifi widget always reports 'searching for an ip address' and the
>> > captive portal never appears and the ap doesn't show an association.
>> >
>> > vlan 102 is our registration vlan ; the ap configuration is as close
>> > to the example as we could get it (but with snmp config, etc. for the
>> > deauthenticate trap)
>> >
>> >
>> > A good weekend and best wishes ...
>> >
>> > Chris
>
> _______________________________________________
> Packetfence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
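
The log pattern quoted in this thread (a RADIUS ACCEPT carrying a VLAN, then a dot11Deauthentication trap for the same MAC that pfsetvlan could not parse) can be pulled out of packetfence.log with a short script. This is an added example, not part of the original messages or of PacketFence's own code; the `triage` function and the second client's log lines are constructed, and it assumes the message formats match the lines quoted above.

```python
import re

# Constructed sample: the packetfence.log lines quoted in the thread, each
# rejoined onto one line, plus two constructed lines for a second client.
SAMPLE_LOG = """\
Dec 30 21:18:51 pf::WebAPI(5578) INFO: handling radius autz request: from switch_ip =>  nnn.nnn.nnn.nnn, connection_type =>  Wireless-802.11-NoEAP mac =>  aa:bb:cc:dd:ee:ff, port =>  604, username =>  aabbccddeeff (pf::radius::authorize)
Dec 30 21:18:51 pf::WebAPI(5579) INFO: handling radius autz request: from switch_ip =>  nnn.nnn.nnn.nnn, connection_type =>  Wireless-802.11-NoEAP mac =>  11:22:33:44:55:66, port =>  605, username =>  112233445566 (pf::radius::authorize)
Dec 30 21:18:51 pf::WebAPI(5578) INFO: MAC: aa:bb:cc:dd:ee:ff is of status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Dec 30 21:18:51 pf::WebAPI(5579) INFO: Returning ACCEPT with VLAN: 6 (pf::radius::authorize)
Dec 30 21:18:51 pf::WebAPI(5578) INFO: Returning ACCEPT with VLAN: 102 (pf::radius::authorize)
Dec 30 21:18:54 pfsetvlan(17) WARN: unable to parse trapLine.. here's the line: nnn.nnn.nnn.nnn||dot11Deauthentication|||aa:bb:cc:dd:ee:ff (main::startTrapHandlers)
Dec 30 21:18:54 pfsetvlan(17) INFO: doWeActOnThisTrap returns false. Stop dot11Deauthentication handling (main::handleTrap)
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# timestamp, process name, pid, level, message
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+?)\((\d+)\) (\w+): (.*)$")

def triage(log_text):
    """Return (timestamp, mac, vlan) for each unparsed deauth trap whose MAC
    was earlier given a VLAN in a RADIUS ACCEPT."""
    pending = {}    # (process, pid) -> MAC of the request being authorized
    assigned = {}   # MAC -> VLAN returned in the ACCEPT
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, proc, pid, _level, msg = m.groups()
        key = (proc, pid)
        if "handling radius autz request" in msg:
            mac = re.search(r"mac =>\s*(" + MAC + ")", msg, re.I)
            if mac:
                pending[key] = mac.group(1).lower()
        elif msg.startswith("Returning ACCEPT with VLAN:"):
            # The ACCEPT line has no MAC; tie it to the request by worker pid.
            vlan = re.search(r"VLAN: (\d+)", msg)
            if vlan and key in pending:
                assigned[pending.pop(key)] = int(vlan.group(1))
        elif "unable to parse trapLine" in msg and "dot11Deauthentication" in msg:
            mac = re.search(MAC, msg, re.I)
            if mac and mac.group(0).lower() in assigned:
                findings.append((ts, mac.group(0).lower(), assigned[mac.group(0).lower()]))
    return findings

if __name__ == "__main__":
    for ts, mac, vlan in triage(SAMPLE_LOG):
        print(f"{ts}  {mac}: ACCEPT returned VLAN {vlan}, deauth trap not parsed")
```
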


